OpenStack Keystone LDAP Flaw Exposes Disabled Users
The National Vulnerability Database (NVD) has flagged a significant vulnerability, CVE-2026-40683, affecting OpenStack Keystone’s LDAP identity backend. The flaw, rated CVSS 7.7 (HIGH), is a missing string-to-boolean conversion in Keystone versions prior to 28.0.1. Specifically, when the user_enabled_invert configuration option is set to False (the default), the LDAP identity backend never converts the user enabled attribute it reads from LDAP into a boolean.
According to the NVD, the _ldap_res_to_model method of the UserApi class performed the string-to-boolean conversion only when user_enabled_invert was explicitly set to True. With user_enabled_invert left at False, Keystone used the raw string value from LDAP, such as “FALSE”, as the enabled flag. Because Python treats every non-empty string as truthy, a user marked disabled in LDAP was treated as enabled by Keystone, and the check that should have rejected the login passed. Such users could authenticate successfully and act within the OpenStack environment; disabling an account in the directory was silently ineffective as a control. The NVD warns that any OpenStack deployment using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation is susceptible (CWE-843, type confusion). Operators running the LDAP backend should check the [ldap] section of keystone.conf, and of any domain-specific configuration files, for those two options, and upgrade to 28.0.1 or later rather than relying on the inverted or emulated modes as a long-term fix.
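The conversion gap described above, reconstructed as an added Python example. This is illustrative code written for this page, not Keystone's own source: `res_to_model_vulnerable` converts only on the invert branch, as the advisory describes; `res_to_model_fixed` normalizes to a boolean on every path; and `ldap_backend_exposed` audits a keystone.conf fragment for the susceptible combination of settings. The function names, the `uid`/`enabled` attribute names, the sample LDAP search results and the configuration fragments are constructed for the example; the `[ldap]` options `user_enabled_invert` and `user_enabled_emulation` and the `[identity] driver` option are Keystone's real option names.

```python
import configparser

# Constructed LDAP search results, shaped like python-ldap's (dn, attrs) tuples:
# attribute values arrive as lists of strings (or bytes), never as Python bools.
DISABLED_USER = ("uid=alice,ou=people,dc=example,dc=com",
                 {"uid": ["alice"], "enabled": ["FALSE"]})
ENABLED_USER = ("uid=bob,ou=people,dc=example,dc=com",
                {"uid": ["bob"], "enabled": ["TRUE"]})


def str2bool(value):
    """Convert an LDAP boolean attribute ("TRUE"/"FALSE") to bool; reject anything else."""
    if isinstance(value, bool):
        return value
    text = value.decode() if isinstance(value, bytes) else str(value)
    lowered = text.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    raise ValueError(f"not an LDAP boolean: {value!r}")


def res_to_model_vulnerable(res, enabled_invert=False, enabled_emulation=False):
    """Illustrative reconstruction of the flawed logic (not Keystone's code):
    the string-to-bool conversion happens only on the invert branch, so the
    default configuration passes the raw LDAP string through unchanged."""
    _dn, attrs = res
    enabled = attrs["enabled"][0]
    if enabled_invert and not enabled_emulation:
        if isinstance(enabled, str):
            enabled = str2bool(enabled)
        enabled = not enabled
    return {"id": attrs["uid"][0], "enabled": enabled}


def res_to_model_fixed(res, enabled_invert=False, enabled_emulation=False):
    """Hardened form: normalize to bool before any use, on every path."""
    _dn, attrs = res
    enabled = str2bool(attrs["enabled"][0])
    if enabled_invert and not enabled_emulation:
        enabled = not enabled
    return {"id": attrs["uid"][0], "enabled": enabled}


def may_authenticate(user):
    """What a login check effectively does: trust the model's enabled flag.
    With the raw string "FALSE" this returns True, because `not "FALSE"` is False."""
    if not user["enabled"]:
        return False
    return True


def ldap_backend_exposed(keystone_conf_text):
    """Config audit (assumes a Keystone older than 28.0.1): True when the LDAP
    identity driver is in use and [ldap] sets neither user_enabled_invert=True
    nor user_enabled_emulation=True, i.e. the raw-string path is taken.
    Domain-specific config files (domain_config_dir) need the same check."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf_text)
    if cp.get("identity", "driver", fallback="sql").strip().lower() != "ldap":
        return False
    invert = cp.getboolean("ldap", "user_enabled_invert", fallback=False)
    emulation = cp.getboolean("ldap", "user_enabled_emulation", fallback=False)
    return not (invert or emulation)


# Constructed keystone.conf fragments: the default (susceptible) layout and
# one of the two mitigating settings named in the advisory.
VULNERABLE_CONF = """
[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.com
user_enabled_attribute = enabled
user_enabled_invert = False
"""

MITIGATED_CONF = """
[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.com
user_enabled_emulation = True
"""


if __name__ == "__main__":
    print("vulnerable lets disabled alice in:", may_authenticate(res_to_model_vulnerable(DISABLED_USER)))
    print("fixed lets disabled alice in:     ", may_authenticate(res_to_model_fixed(DISABLED_USER)))
    print("default conf exposed:", ldap_backend_exposed(VULNERABLE_CONF))
    print("emulation conf exposed:", ldap_backend_exposed(MITIGATED_CONF))
```

Run it as-is to see the disabled user pass the vulnerable check and fail the fixed one; to audit a live deployment, read the real keystone.conf into `ldap_backend_exposed` and repeat for each file under the domain-specific config directory.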
Indicators of Compromise
The entries below describe the vulnerable software and configuration rather than network or host artifacts; exploitation of this flaw looks like an ordinary successful login by an account that should be disabled in LDAP.
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40683 | Auth Bypass | OpenStack Keystone before 28.0.1 |
| CVE-2026-40683 | Auth Bypass | LDAP identity backend |
| CVE-2026-40683 | Auth Bypass | user enabled attribute not converted to boolean when user_enabled_invert is False |
| CVE-2026-40683 | Auth Bypass | Vulnerable method: _ldap_res_to_model in UserApi class |